No Content-Security-Policy meta tag found error in my phonegap application

Question

After update Cordova 5 0 in my system  I create new applications  When I tested my application on a device that time I get an error in the console log   No Content-Security-Policy meta tag found  Please add one when using the Cordova-plugin-whitelist plugin   23    I add meta in the head section    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src   self   unsafe-inline   unsafe-eval  gt    But again  I got the same error  in the application I use in-app browser plugin and 7 of other website links

User · Answer

There is an another issue about connection. Some android versions can connect but some cannot. So there is an another solution

in AndroidManifest.xml:

_x000D_

<application ... android:usesCleartextTraffic="true">_x000D_
        ..._x000D_
    </application>

_x000D_

Just add 'android:usesCleartextTraffic="true"'

and problem solved finally.

User · Answer

After adding the cordova-plugin-whitelist  you must tell your application to allow access all the web-page links or specific links  if you want to keep it specific   You can simply add this to your config xml  which can be found in your application s root directory   Recommended in the documentation    lt allow-navigation href  http   example com      gt    or    lt allow-navigation href  http          gt    From the plugin s documentation      Navigation Whitelist      Controls which URLs the WebView itself can be navigated to  Applies to   top-level navigations only       Quirks  on Android it also applies to iframes for non-http s  schemes       By default  navigations only to file    URLs  are allowed  To allow   other other URLs  you must add  tags to your   config xml    lt  -- Allow links to example com -- gt   lt allow-navigation href  http   example com      gt    lt  -- Wildcards are allowed for the protocol  as a prefix      to the host  or as a suffix to the path -- gt   lt allow-navigation href        example com      gt    lt  -- A wildcard can be used to whitelist the entire network       over HTTP and HTTPS        NOT RECOMMENDED  -- gt   lt allow-navigation href       gt    lt  -- The above is equivalent to these three declarations -- gt   lt allow-navigation href  http          gt   lt allow-navigation href  https          gt   lt allow-navigation href  data      gt

User · Answer

For me the problem was that I was using obsolete versions of the cordova android and ios platforms  So upgrading to android 5 1 1 and ios 4 0 1 solved it   You can upgrade to these specific versions   cordova platforms rm android cordova platforms add android 5 1 1 cordova platforms rm ios cordova platforms add ios 4 0 1

User · Answer

For me it was enough to reinstall whitelist plugin      cordova plugin remove cordova-plugin-whitelist   and then  cordova plugin add cordova-plugin-whitelist   It looks like updating from previous versions of Cordova was not succesful

User · Answer

You have to add a CSP meta tag in the head section of your app s index html  As per https   github com apache cordova-plugin-whitelist content-security-policy     Content Security Policy      Controls which network requests  images  XHRs  etc  are allowed to be made  via webview directly        On Android and iOS  the network request whitelist  see above  is not   able to filter all types of requests  e g   lt video gt   amp  WebSockets are   not blocked   So  in addition to the whitelist  you should use a   Content Security Policy    lt meta gt  tag on all of your pages       On Android  support for CSP within the system webview starts with   KitKat  but is available on all versions using Crosswalk WebView        Here are some example CSP declarations for your  html pages    lt  -- Good default declaration        gap  is required only on iOS  when using UIWebView  and is needed for JS- gt native communication       https   ssl gstatic com is required only on Android and is needed for TalkBack to function properly       Disables use of eval   and inline scripts in order to mitigate risk of XSS vulnerabilities  To change this            Enable inline JS  add  unsafe-inline  to default-src           Enable eval    add  unsafe-eval  to default-src -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  data  gap  https   ssl gstatic com  style-src  self   unsafe-inline   media-src    gt    lt  -- Allow requests to foo com -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  foo com  gt    lt  -- Enable all requests  inline styles  and eval   -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval   gt    lt  -- Allow XHRs via https only -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self  https   gt    lt  -- Allow iframe to https   cordova apache org  -- gt   lt meta http-equiv  Content-Security-Policy  content  default-src  self   frame-src  self  https   cordova apache org  gt

User · Answer

There are errors in your meta tag   Yours    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src   self   unsafe-inline   unsafe-eval  gt    Corrected    lt meta http-equiv  Content-Security-Policy  content  default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval    gt    Note the colon after  script-src   and the end double-quote of the meta tag

[cordova] "No Content-Security-Policy meta tag found." error in my phonegap application

Examples related to cordova

Examples related to phonegap-plugins

Examples related to whitelist